Most organizations spend vast sums on information technology to gather, manipulate, store, and use the information and data they gather. Yet, as these authors point out, managing this resource entails protecting it and complying with all laws and regulations. The authors prescribe ten best practices that should allow an organization to protect its data and comply with the law.

Earlier this year, the TJ Maxx group of companies (TJX), which includes the HomeSense and Winners stores, was left scrambling after hackers stole and used customer data, including credit and debit card information. As a result of this transgression, and of accusations by the U.S. Federal Trade Commission (FTC) that TJX handled its data improperly, the stock price for the company took a drop of over 5% [1]. This is notable for the fact that it is significantly more than the average drop of 2.1% that researchers recently calculated for other hacked companies [2].

TJ Maxx joins a growing group of organizations whose managers do not safeguard or use employee and customer data adequately, and in doing so, expose their company to considerable financial risk. According to the Privacy Rights Clearinghouse, the security and privacy of over 100 million records have been compromised in 474 security breaches worldwide since February 15, 2005 – the day that ChoicePoint, a U.S.-based consumer records company, provided over 150,000 records to fraudsters. For its laxity, ChoicePoint paid $15 million in fines and restitution [3].

AN INFORMATION-HANDLING CHECKLIST:

Does every manager and employee in the organization know which privacy legislation applies, and how it applies to information?

Does the organization have an appropriate privacy officer?

Do policies and practices reflect the 10 principles PIPEDA is based on?

Is the information collected by the organization reasonably required?

Does the organization safeguard information when it is accessed, used, and stored by third parties?

Does the organization have policies and procedures in place for employees to access their information?

Are there clear policies on the use of information systems? Have they been communicated to employees and consistently enforced?

Have managers considered how other statutory and contractual privacy rights apply to the organization?

Is there a contingency in place if information systems are seized?

Does the organization identify and protect privileged legal information?

Unfortunately, this situation is only going to worsen. The first 34 days of 2007 saw 35 security breaches, and over 725,000 private records compromised. At this rate, we can expect nearly 400 breaches and 10 million records compromised this year alone.

What are companies doing about it? If TJ Maxx, ChoicePoint and many others are to be believed, the answer is very little, save extensive damage control after the fact – the Internet equivalent of locking the corral gate after all the horses have bolted. Almost all of an organization’s critical information is now kept electronically. The sad truth is that many organizations have not fully considered the privacy and security implications surrounding these data in developing and deploying their enterprise information systems.

Only a portion of potential liability to organizations over the use of their information systems comes from external threats. While these threats are real, organizations that focus only on external threats do so at their peril. Managers must realize that there are potential legal claims and issues that may arise from how information is used internally, particularly as employees and unions assert privacy rights which may conflict with management rights. Organizations need to ensure that, in addition to safeguarding their data, they develop appropriate controls on how information is used and disclosed by people in their organizations.

In this article, our goal is to identify the legal issues that should be considered in the development of enterprise information systems. We aim to provide senior managers and boards with a succinct checklist or oversight document that they can then use to engage their Chief Information Officers (CIOs) and auditors in meaningful dialogues about the security and privacy of data in their organizations.

There are 10 critical things managers should be aware of.

1. An organization’s use of information is governed by specific legislation

PIPEDA – the Personal Information Protection and Electronic Documents Act – was enacted in April, 2000 by the Canadian federal government. As of January 2004, it applies to the collection, use and disclosure of personal information by any organization in the course of commercial activity within a province and to all personal information in all interprovincial and international transactions. The only exception occurs if a province has passed privacy legislation which is deemed to be “substantially similar” to PIPEDA. That legislation then applies to provincially regulated companies, except in respect of transborder transactions. Table 1 outlines the various pieces of legislation that apply to the different types of organizations in each province. Only Quebec, British Columbia and Alberta have passed privacy legislation regulating the private sector which is substantially similar to PIPEDA. Every jurisdiction has enacted its own legislation regulating privacy rights and access to information in the public sector.

Not following the applicable legislation means that an organization is breaking the law. Each law has different rules, requirements, and penalties. It is critical that managers know which piece of legislation applies to the organization and that they comply with that legislation. For example, an individual or organization knowingly violating certain sections of PIPEDA can be charged with an indictable offence and a fine of up to $100,000 (PIPEDA, section 28).

2. PIPEDA requires that an organization have a privacy officer

Every business needs to have a designated individual (commonly referred to as a privacy officer), not only for the practical purpose of keeping track of all of the legal restrictions on the use of information, but also because PIPEDA (schedule 1, section 4.1) states that an “organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the… principles [set out in PIPEDA].”

Ideally, this should not be the organization’s Chief Information Officer (CIO). It may not be realistic to assume that one individual can handle the demands of both managing information systems and the obligations of a privacy officer. The privacy officer plays an important regulatory and compliance role in the organization – one which may conflict with the CIO’s priorities. The privacy officer has to ensure that all departments in the organization are complying with PIPEDA, and serves as the contact person with outside organizations and individuals seeking access to information. It is a job that goes beyond monitoring how electronic information is gathered, stored, manipulated and used within the organization and requires the development of and implementation of clear policies and practices. Further, the privacy officer must investigate and respond to complaints about how the organization uses information.

3. PIPEDA is based on ten principles [4]

An organization’s obligation under PIPEDA goes far beyond protecting personal information from external threats. Safeguarding information is only one of the ten principles on which PIPEDA is based. While information technology security is important, organizations must ensure that information policies and practices meet all of the following PIPEDA principles:

Be accountable

Identify the purpose for collecting information

Obtain consent from the individual the information is about

Limit collection to what is reasonably needed for the purpose

Limit use, disclosure and retention to what is reasonably needed

Be accurate

Use appropriate safeguards to protect information

Be open about the organization’s privacy practices and procedures

Give individuals access to their information

Provide recourse for individuals with complaints or inquiries

4. PIPEDA significantly restricts the collection of information

A significant number of complaints made under PIPEDA are about the collection of information in ways that managers might otherwise think are reasonable. The Office of the Privacy Commissioner of Canada has found that the following instances constituted inappropriate collection of personal information:

Banks requiring customers to provide a Social Insurance Number [5]; a credit check [6]; and a birth date [7] to open a bank account;

A courier company requiring customers to provide electronic signatures to receive parcels [8];

An employer requiring employees to provide a medical note with a diagnosis for sick benefits [9];

A bank requiring a customer to provide a Revenue Canada Notice of Assessment to qualify for a line of credit [10];

An airline requiring customers to give their birthdate, SIN, and occupation to submit a claim for lost baggage [11];

An employer installing video surveillance cameras that could be used to monitor employees [12]; and

A company using internet “cookies” for customers accessing its website [13].

5. Organizations are responsible for the use of information they collect even if this information is not in their possession

If an organization outsources or uses third parties to provide payroll or human resources services, storage, customer relationship management (e.g. affinity programs) or to process documents or records, it is still responsible for the use of that information. While the information may not be in an organization’s possession, it is considered to be in that organization’s control. The organization may be liable if the third party breaches PIPEDA with information provided to them [14].

For example, the Canadian Imperial Bank of Commerce (CIBC) is being investigated by Canada’s privacy commissioner for a possible contravention of PIPEDA as a result of the loss of a backup data drive by its subsidiary, Talvest Mutual Funds, earlier this year. The drive in question was in transit between Montreal and Toronto. It contained personal and financial information (including date-of-birth and social insurance numbers) for 470,000 customers [15].

This is the second critical data incident for CIBC in recent years. In 2005, the bank was investigated by the privacy commissioner for repeatedly faxing sensitive customer information to a junkyard operator in West Virginia, USA for three years [16].

6. Individuals have a right to know how their personal information is used

PIPEDA requires the organization to provide individuals (upon request) personal information in the organization’s control, the ways in which this personal information is used, and the identities of any other organizations to which their personal information has been provided. As such, the organization needs to have policies in place to handle such requests.

In Alberta, B.C., and Quebec, and in federally-regulated businesses such as banks, telecommunications and transportation companies, employees have specific rights under privacy legislation to access their employment information [17]. Most collective agreements also contain similar provisions. This not only includes official personnel files, but also informal comments that supervisors may have made about employees in memos or e-mails. The organization must ensure that it tracks how personal information is used and who has access to that information. It must also have a policy and procedures on how to process these requests in a timely and accurate manner.

7. Senior Management MUST tell employees clearly how they can use information systems

Although it may seem obvious that employees should only use an organization’s information technology appropriately (e.g. by not accessing pornographic or other objectionable web sites), failure to clearly communicate standards and limitations on the use of technology can limit managers’ ability to discipline employees for such uses and may expose an organization to liability. Additionally, if senior managers have not told employees that they may monitor Internet usage, e-mail accounts, or computers, they are then violating their privacy if they do so. Canadian courts have recognized that employees have a reasonable expectation of privacy on employer computers used by employees. The organization needs to decide if it has a reasonable basis for monitoring employees’ use of information technology. If so, managers need to set criteria for what will be monitored and how (e.g. bandwidth usage, visits to certain websites, or keyword searches of e-mails). These criteria must then be communicated to employees, along with the reasons for and the limitations in the policy, and consistently enforced across the organization.

8. There are other legal restrictions which might govern an organization’s use of information

Although PIPEDA is the most significant law which regulates how an organization uses information, other legislation and contracts also apply and, in some cases, override PIPEDA. For example, while the privacy legislation may restrict what information an employer can provide to a trade union about employees, it may be an unfair labour practice and a violation of the province’s Labour Relations Code to refuse to provide certain information to a union which represents employees. Conversely, while privacy legislation might permit the organization to use employee medical information in a particular way, the province’s Workers Compensation Act may prevent it from doing so. Other legislation, such as the Securities Act, may also restrict what financial information can be provided.

Other contracts and agreements, such as collective agreements with unions, can also contain additional restrictions. It is cold comfort to human resources managers to know that while the organization has met the requirements of privacy legislation, an arbitrator has found that a particular use of information violates the collective agreement.

Therefore, while the privacy protections of PIPEDA are important, they are not always paramount.

9. Information systems can be seized and organizations can be required to produce information

Aside from PIPEDA, both the criminal and civil legal systems contain mechanisms that can require organizations to produce information to another party or the police, often information they might prefer not to disclose. In exceptional circumstances, information systems can be seized without prior notice. Whether the organization is a defendant or plaintiff in a lawsuit, the rules of civil litigation allow the opposing party to require it to produce information that they believe may be relevant to issues in the litigation.

Although far less likely, the police and sheriffs acting under court orders can be granted the legal authority to seize information systems without notice in circumstances where advance notice of the seizure might lead to loss of the information sought. For example, police may obtain a search warrant against an organization’s computers to investigate breaches of obscenity laws, hate propaganda laws, or criminal harassment laws. Therefore, it is critical that the organization have a contingency plan in the event that such an order is exercised as it may find the police carting off its only server and vital workstations as evidence.

Neither the best firewall in the world nor full compliance with PIPEDA will protect the interests of an organization if there is no contingency plan for the occasion when a sheriff or the police show up with a court order to seize computers, backup disks, servers and workstations.

10. Certain information is privileged and cannot be disclosed

The larger and more complex the organization, the more likely that its information systems contain communications with legal advisors, whether those advisors are lawyers in practice outside of the organization or lawyers employed by the firm. Information provided by lawyers, including legal opinions; managers’ communications with lawyers, including instructions; and other information provided to lawyers to prepare for litigation such as expert medical reports, are likely privileged information that an organization is not required to provide to an outside party. This includes the police or sheriffs acting under a court order. Solicitor-client privilege extends to voice mails, e-mails, letters, and even a lawyer’s bills. An organization must take steps to ensure that if it is required to produce information, this privileged information is protected and not disclosed.

Information is a critical resource, and most organizations spend vast sums on information technology to gather, manipulate, store, and present this information in a timely and accurate manner to decision-makers. However, management of this resource also entails protecting it, and complying with all laws and regulations. Failure to do so can have serious consequences, not only from a legal perspective, but also in terms of firm valuations and shareholder wealth. Good governance over information and information systems reduces risk, mitigates the impact of information disasters, lowers the cost of capital, and prevents disasters in disaster recovery.

Lau, K. “CIBC’s loss of back up drive hints at lack of safeguards,” IT World Canada, January 22, 2007. Available at http://www.itworldcanada.com/a/E-Government/cc412218-2e4e-4c22-9a75-d31412d693f2.html accessed February 26, 2007.